New features

Constant expressions

It is now possible to provide a scalar expression involving numeric and
string literals and/or constants in contexts where PHP previously expected
a static value, such as constant and property declarations and default
function arguments.

The hash_equals() function has been added to compare
two strings in constant time. This should be used to mitigate timing
attacks; for instance, when testing crypt() password
hashes (assuming that you are unable to use
password_hash() and
password_verify(), which aren't susceptible to timing
attacks).

gost-crypto hash algorithm

The gost-crypto hash algorithm has been added. This
implements the GOST hash function using the CryptoPro S-box tables as
specified by
» RFC 4357, section 11.2.

SSL/TLS improvements

A wide range of improvements have been made to the SSL/TLS support in PHP
5.6. These include
enabling peer verification by default,
supporting certificate fingerprint matching, mitigating against TLS
renegotiation attacks, and many new
SSL context options to allow more fine
grained control over protocol and verification settings when using
encrypted streams.

The pgsql extension now supports
asynchronous connections and queries, thereby enabling non-blocking
behaviour when interacting with PostgreSQL databases. Asynchronous
connections may be established via the
PGSQL_CONNECT_ASYNC constant, and the new
pg_connect_poll(), pg_socket(),
pg_consume_input() and pg_flush()
functions may be used to handle asynchronous connections and queries.